/[smecontribs]/rpms/sqlite/contribs9/sqlite-3.7.14-printf-overflow.patch
ViewVC logotype

Annotation of /rpms/sqlite/contribs9/sqlite-3.7.14-printf-overflow.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue Feb 27 19:41:49 2018 UTC (6 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: sqlite-3_7_17-8_el7, sqlite-3_7_17-9_el6_sme, HEAD
Initial import

1 jpp 1.1 # Fix for stack buffer overflow in src/printf.c, backpotred from upstream
2     # Bugzilla: rhbz#1212357
3     # Original fix: https://www.sqlite.org/src/info/aeca95ac77f6f320
4    
5     diff -up sqlite-src-3071700/src/printf.c.old sqlite-src-3071700/src/printf.c
6     --- sqlite-src-3071700/src/printf.c.old 2015-07-03 10:54:17.644940587 +0200
7     +++ sqlite-src-3071700/src/printf.c 2015-07-03 11:52:50.704122467 +0200
8     @@ -233,14 +233,17 @@ void sqlite3VXPrintf(
9     width = va_arg(ap,int);
10     if( width<0 ){
11     flag_leftjustify = 1;
12     - width = -width;
13     + width = width >= -2147483647 ? -width : 0;
14     }
15     c = *++fmt;
16     }else{
17     + unsigned wx = 0;
18     while( c>='0' && c<='9' ){
19     - width = width*10 + c - '0';
20     + wx = wx*10 + c - '0';
21     c = *++fmt;
22     }
23     + testcase( wx>0x7fffffff );
24     + width = wx & 0x7fffffff;
25     }
26     /* Get the precision */
27     if( c=='.' ){
28     @@ -248,13 +251,18 @@ void sqlite3VXPrintf(
29     c = *++fmt;
30     if( c=='*' ){
31     precision = va_arg(ap,int);
32     - if( precision<0 ) precision = -precision;
33     c = *++fmt;
34     + if( precision<0 ) {
35     + precision = precision >= -2147483647 ? -precision : -1;
36     + }
37     }else{
38     + unsigned px = 0;
39     while( c>='0' && c<='9' ){
40     - precision = precision*10 + c - '0';
41     + px = px*10 + c - '0';
42     c = *++fmt;
43     }
44     + testcase( px>0x7fffffff );
45     + precision = px & 0x7fffffff;
46     }
47     }else{
48     precision = -1;
49     @@ -418,7 +426,8 @@ void sqlite3VXPrintf(
50     for(idx=precision, rounder=0.4999; idx>0; idx--, rounder*=0.1);
51     #else
52     /* It makes more sense to use 0.5 */
53     - for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
54     + testcase( precision>0xfff );
55     + for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
56     #endif
57     if( xtype==etFLOAT ) realvalue += rounder;
58     /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
59     @@ -474,8 +483,10 @@ void sqlite3VXPrintf(
60     }else{
61     e2 = exp;
62     }
63     - if( e2+precision+width > etBUFSIZE - 15 ){
64     - bufpt = zExtra = sqlite3Malloc( e2+precision+width+15 );
65     + if( e2+(i64)precision+(i64)width > etBUFSIZE - 15 ){
66     + bufpt = zExtra = sqlite3Malloc(
67     + e2+(i64)precision+(i64)width+15
68     + );
69     if( bufpt==0 ){
70     pAccum->mallocFailed = 1;
71     return;
72    
73     diff -up sqlite-src-3071700/test/printf.test.old sqlite-src-3071700/test/printf.test
74     --- sqlite-src-3071700/test/printf.test.old 2015-07-03 10:32:28.552140602 +0200
75     +++ sqlite-src-3071700/test/printf.test 2015-07-03 10:35:15.858079592 +0200
76     @@ -472,6 +472,18 @@ do_test printf-1.16.7 {
77     sqlite3_mprintf_int {abc: (%#6d) (%#6x) (%#6o) :xyz}\
78     0xff676981 0xff676981 0xff676981
79     } {abc: (-9999999) (0xff676981) (037731664601) :xyz}
80     +do_test printf-1.17.1 {
81     + sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1
82     +} {}
83     +do_test printf-1.17.2 {
84     + sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1
85     +} {}
86     +do_test printf-1.17.3 {
87     + sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1
88     +} {abd: 1 1}
89     +do_test printf-1.17.4 {
90     + sqlite3_mprintf_int {abd: %.2147483648d %x %x} 1 1 1
91     +} {/.*/}
92     do_test printf-2.1.1.1 {
93     sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 0.001
94     } {abc: (0.0) :xyz}
95     @@ -526,6 +538,9 @@ do_test printf-2.1.2.8 {
96     do_test printf-2.1.2.9 {
97     sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
98     } {abc: 1 1 (1e-20) :xyz}
99     +do_test printf-2.1.2.10 {
100     + sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
101     +} {abc: }
102     do_test printf-2.1.3.1 {
103     sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
104     } {abc: (1.0) :xyz}
105     @@ -3466,6 +3481,15 @@ do_test printf-3.5 {
106     do_test printf-3.6 {
107     sqlite3_mprintf_str {%d %d A String: (%-30s)} 1 2 {This is the string}
108     } [format {%d %d A String: (%-30s)} 1 2 {This is the string}]
109     +do_test printf-3.7 {
110     + sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the string}
111     +} []
112     +do_test printf-3.8 {
113     + sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the string}
114     +} {1 A String: (This is the string)}
115     +do_test printf-3.9 {
116     + sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the string}
117     +} {1 A String: (This is the string)}
118     do_test snprintf-3.11 {
119     sqlite3_snprintf_str 2 {x%d %d %s} 10 10 {This is the string}
120     } {x}
121     @@ -3685,6 +3709,9 @@ do_test printf-13.5 {
122     do_test printf-13.6 {
123     sqlite3_mprintf_hexdouble %.20f fff8000000000000
124     } {NaN}
125     +do_test printf-13.7 {
126     + sqlite3_mprintf_hexdouble %2147483648.10000f 4693b8b5b5056e17
127     +} {/100000000000000000000000000000000.00/}
128    
129     do_test printf-14.1 {
130     sqlite3_mprintf_str {abc-%y-123} 0 0 {not used}

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed